Posted to dev@tomcat.apache.org by co...@locus.apache.org on 2000/05/12 17:55:25 UTC
cvs commit: jakarta-tomcat/src/share/org/apache/tomcat/core HttpSessionFacade.java HttpServletRequestFacade.java
costin 00/05/12 08:55:25
Modified: src/share/org/apache/tomcat/core
HttpServletRequestFacade.java
Added: src/share/org/apache/tomcat/core HttpSessionFacade.java
Log:
Added SessionFacade - its role is to shield servlets from tomcat internals, and
prevent access to the internal state.
The implementation is a bit complex - the "internal" object is an implementation
of HttpSession too, but it is generated from an external package that we don't control,
and it's good to be a bit paranoid about security.
( The input/output streams are the last "unsafe" objects exposed by tomcat, will
be fixed soon )
Revision Changes Path
1.11 +18 -4 jakarta-tomcat/src/share/org/apache/tomcat/core/HttpServletRequestFacade.java
Index: HttpServletRequestFacade.java
===================================================================
RCS file: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/core/HttpServletRequestFacade.java,v
retrieving revision 1.10
retrieving revision 1.11
diff -u -r1.10 -r1.11
--- HttpServletRequestFacade.java 2000/04/21 20:45:02 1.10
+++ HttpServletRequestFacade.java 2000/05/12 15:55:25 1.11
@@ -1,7 +1,7 @@
/*
- * $Header: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/core/HttpServletRequestFacade.java,v 1.10 2000/04/21 20:45:02 costin Exp $
- * $Revision: 1.10 $
- * $Date: 2000/04/21 20:45:02 $
+ * $Header: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/core/HttpServletRequestFacade.java,v 1.11 2000/05/12 15:55:25 costin Exp $
+ * $Revision: 1.11 $
+ * $Date: 2000/05/12 15:55:25 $
*
* ====================================================================
*
@@ -85,6 +85,10 @@
private StringManager sm = StringManager.getManager(Constants.Package);
private Request request;
+ /** Used to shield the servlet from the internal implementation.
+ */
+ HttpSessionFacade sessionFacade;
+
private boolean usingStream = false;
private boolean usingReader = false;
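Review bot: The added field `HttpSessionFacade sessionFacade;` is package-private and mutable, although the hunks show it written only once, in what appears to be the constructor (`sessionFacade=new HttpSessionFacade();` in the following hunk). `private final HttpSessionFacade sessionFacade;` would state that the request owns exactly one facade for its lifetime and keep other classes in the package from swapping it for a different one. The enclosing class starts outside the hunk, so a package-level reader elsewhere cannot be ruled out from here; if one exists, the Javadoc on the field should name it.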
@@ -106,6 +110,7 @@
// XXX In JDK1.2, call a security class to see if the code has
// the right permission !!!
this.request = request;
+ sessionFacade=new HttpSessionFacade();
}
/** Not public - is called only from RequestImpl
@@ -113,6 +118,7 @@
void recycle() {
usingReader=false;
usingStream=false;
+ sessionFacade.recycle();
}
public Object getAttribute(String name) {
@@ -252,7 +258,15 @@
}
public HttpSession getSession(boolean create) {
- return request.getSession(create);
+ HttpSession realSession = request.getSession( create );
+ // No real session, return null
+ if( realSession == null ) {
+ sessionFacade.recycle();
+ return null;
+ }
+
+ sessionFacade.setRealSession( realSession );
+ return sessionFacade;
}
public BufferedReader getReader() throws IOException {
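Review bot: `getSession(boolean)` returns the same `sessionFacade` instance on every call, and `recycle()` in the previous hunk detaches it when the request object is reused, so the facade shields the session only for the duration of one request: a servlet or listener that keeps the returned HttpSession reference gets a NullPointerException from it after recycle, and once this request object (presumably pooled, given `recycle()` is called from RequestImpl) serves another client, the retained facade silently delegates to that client's session. That is the opposite of the isolation the facade exists to provide. The simplest fix is one facade per real session rather than per request, e.g. `HttpSessionFacade facade = new HttpSessionFacade();` `facade.setRealSession( realSession );` `return facade;` at the cost of an allocation per call, or a facade cached on the real session object if the session package can offer a hook. If per-request reuse is kept deliberately, the restriction belongs in this method's Javadoc: `/** The returned HttpSession must not be retained beyond this request; it is recycled with it. */`. The enclosing class continues outside the hunk.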
1.1 jakarta-tomcat/src/share/org/apache/tomcat/core/HttpSessionFacade.java
Index: HttpSessionFacade.java
===================================================================
/*
* ====================================================================
*
* The Apache Software License, Version 1.1
*
* Copyright (c) 1999 The Apache Software Foundation. All rights
* reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. The end-user documentation included with the redistribution, if
* any, must include the following acknowlegement:
* "This product includes software developed by the
* Apache Software Foundation (http://www.apache.org/)."
* Alternately, this acknowlegement may appear in the software itself,
* if and wherever such third-party acknowlegements normally appear.
*
* 4. The names "The Jakarta Project", "Tomcat", and "Apache Software
* Foundation" must not be used to endorse or promote products derived
* from this software without prior written permission. For written
* permission, please contact apache@apache.org.
*
* 5. Products derived from this software may not be called "Apache"
* nor may "Apache" appear in their names without prior written
* permission of the Apache Group.
*
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
* WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
* USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
* ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
* OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
* ====================================================================
*
* This software consists of voluntary contributions made by many
* individuals on behalf of the Apache Software Foundation. For more
* information on the Apache Software Foundation, please see
* <http://www.apache.org/>.
*
* [Additional notices, if required by prior licensing conditions]
*
*/
package org.apache.tomcat.core;
import org.apache.tomcat.session.*;
import org.apache.tomcat.util.StringManager;
import java.io.*;
import java.net.*;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;
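/**
 * Facade for the http session. Used to prevent servlets from accessing
 * internal tomcat objects.
 *
 * This is a "special" facade - since session management is
 * (more or less) orthogonal to request processing, it is
 * independent of tomcat architecture. The session package provides
 * an HttpSession implementation ( but it's not guaranteed
 * in any way it is "safe" ), and HttpSessionFacade acts
 * as a "guard" to make sure only servlet API public
 * methods are exposed: every method except getSessionContext()
 * delegates to the real session, and the real session object
 * itself is never handed out.
 *
 * Another thing to note is that this object will be recycled
 * and will always be set in a request. The "real" session
 * object will determine if the request is part of a session.
 *
 * A consequence of recycling is that the facade is only meaningful
 * for the request that obtained it. While it is detached ( after
 * recycle(), before the next setRealSession() ) every delegating
 * method throws IllegalStateException rather than a bare
 * NullPointerException; after the next setRealSession() the same
 * object refers to whatever session that request belongs to, so
 * servlets must not keep the reference across requests.
 *
 * @author James Duncan Davidson [duncan@eng.sun.com]
 * @author Jason Hunter [jch@eng.sun.com]
 * @author James Todd [gonzo@eng.sun.com]
 * @author costin@eng.sun.com
 */
public final class HttpSessionFacade implements HttpSession {

    /** The session implementation being guarded; null while recycled. */
    HttpSession realSession;

    HttpSessionFacade() {
    }

    /** Package-level method - accessible only by core.
     *  Attaches the real session this facade will delegate to.
     */
    void setRealSession(HttpSession s) {
        realSession = s;
    }

    /** Package-level method - accessible only by core.
     *  Detaches the real session so that a reference to this facade
     *  which outlives its request can no longer reach it.
     */
    void recycle() {
        realSession = null;
    }

    /**
     * Returns the session currently being guarded.
     *
     * The field is read once so that a recycle() racing with the
     * caller is reported by the check below and not by a
     * NullPointerException on the delegating call.
     *
     * @throws IllegalStateException if the facade is detached, i.e. it
     *   has been recycled and not attached to a new session since
     */
    private HttpSession session() {
        HttpSession s = realSession;
        if (s == null) {
            throw new IllegalStateException(
                "HttpSessionFacade is not attached to a session; " +
                "the request that created it has been recycled");
        }
        return s;
    }

    /** Delegates to the real session. */
    public String getId() {
        return session().getId();
    }

    /** Delegates to the real session. */
    public long getCreationTime() {
        return session().getCreationTime();
    }

    /**
     * We return our own "disabled" SessionContext -
     * regardless of what the real session returns. This is the one
     * method that does not touch the real session at all.
     *
     * @deprecated
     */
    public HttpSessionContext getSessionContext() {
        return new SessionContextImpl();
    }

    /** Delegates to the real session. */
    public long getLastAccessedTime() {
        return session().getLastAccessedTime();
    }

    /** Delegates to the real session. */
    public void invalidate() {
        session().invalidate();
    }

    /** Delegates to the real session. */
    public boolean isNew() {
        return session().isNew();
    }

    /**
     * Delegates to the real session.
     *
     * @deprecated
     */
    public void putValue(String name, Object value) {
        session().putValue(name, value);
    }

    /** Delegates to the real session. */
    public void setAttribute(String name, Object value) {
        session().setAttribute(name, value);
    }

    /**
     * Delegates to the real session.
     *
     * @deprecated
     */
    public Object getValue(String name) {
        return session().getValue(name);
    }

    /** Delegates to the real session. */
    public Object getAttribute(String name) {
        return session().getAttribute(name);
    }

    /**
     * Delegates to the real session.
     *
     * @deprecated
     */
    public String[] getValueNames() {
        return session().getValueNames();
    }

    /** Delegates to the real session. */
    public Enumeration getAttributeNames() {
        return session().getAttributeNames();
    }

    /**
     * Delegates to the real session's removeValue, matching the other
     * deprecated value methods, instead of routing through removeAttribute.
     *
     * @deprecated
     */
    public void removeValue(String name) {
        session().removeValue(name);
    }

    /** Delegates to the real session. */
    public void removeAttribute(String name) {
        session().removeAttribute(name);
    }

    /** Delegates to the real session. */
    public void setMaxInactiveInterval(int interval) {
        session().setMaxInactiveInterval(interval);
    }

    /** Delegates to the real session. */
    public int getMaxInactiveInterval() {
        return session().getMaxInactiveInterval();
    }
}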